Complex cyber attacks, including ransomware, are difficult for victims to respond to alone. They often require specific technical and legal expertise, including third-party experts such as cyber incident response firms, ransomware negotiators, law firms, and cyber insurers, to stop or limit the operational and reputational damage associated with the loss of sensitive data.
As a result, third-party experts play a significant role in shaping ransomware incident response efforts, especially as ransomware attacks have become more damaging, audacious, and widespread over recent years. The high cost of retaining these experts can make responding to a ransomware attack difficult for all but the most well-financed businesses. According to a recent IBM report, the average total cost of a ransomware attack is $4.62 million.
Policymakers in many countries are currently debating how far governments should intervene to address this economic externality. In theory, there are several ways in which states can seek to internalize externalities, including laws, regulations, and taxes. In practice, there are no easy solutions, and measures often involve important trade-offs, not least because of the potential for unintended consequences.
Insurance is crucial in helping businesses cover a range of first- and third-party losses brought on by ransomware. After an attack, a cyber insurer can assemble the proper team of specialists, such as legal counsel and computer forensic analysts, to evaluate the incident and suggest an appropriate course of action.
Companies can select standalone policies exclusively covering cyber risk or broader liability policies that also cover cyber incidents, like ransomware attacks.
As of 2020, United States-domiciled insurers reported roughly $1.62 billion in direct written premiums for standalone cyber insurance policies and $1.13 billion in direct written premiums for cyber coverage as part of broader insurance policies. During 2020 alone, standalone cybersecurity insurance direct written premiums increased by 28.1 percent.
Cyber insurance policies cover several risk categories, including liability arising from a data breach, breach remediation costs, and legal or regulatory penalties. In particular, this often covers costs associated with business interruption, notifying consumers after a breach, providing credit monitoring services, and restoring or replacing impacted systems. Many cyber insurance policies also cover costs associated with ransomware attacks. In addition, as discussed in the next subsection, cyber insurance policies often cover the cost of retaining outside legal counsel.
Because coverage determinations and premiums are based on risk, cyber insurance can also incentivize better cyber hygiene and adherence to practices that reduce the risk of ransomware attacks.
These incentives include discouraging policyholders from configuring their networks in ways that expose them to unnecessary risk. Policyholders have a significant interest in implementing such measures because doing so demonstrates to insurers that the policyholder has an effective cybersecurity program that reduces cyber risk, which in turn reduces insurance premiums. However, cyber insurance may also incentivize ransomware attackers by assuring ransom payment. As discussed below, some ransomware attackers will even seek out cyber insurance policy information to aid in their negotiations with victims.
Although more companies now have cyber insurance policies, this market still carries significant cost uncertainty. More attacks mean more demand for cyber insurance and higher premiums as insurers take on more risk. During the last quarter of 2020 alone, a survey of insurance brokers showed a 10 to 30 percent increase in cyber insurance prices. Rising attack frequency and severity have also led insurers to scale back cyber coverage for at-risk sectors like healthcare and education.
To minimize risk, many cyber insurance providers now rely on reinsurance. Reinsurance allows an insurer to mitigate risk by insuring the policy it provides to a customer with a third-party insurer in return for a percentage of the premiums. Outsized risk for insurers could cause significant changes to the cyber insurance products offered to customers, or even a decline in the number of insurers offering cyber policies altogether. According to one cyber insurer, this scenario would remove a valuable risk management strategy for organizations with substantial cyber exposure.
Better outcomes for the insured
Most insurers think that consulting independent experts in the wake of a ransomware attack enables the affected business to make wise choices, particularly in fields in which it lacks expertise. In addition to being in a position to evaluate the legitimacy of the threat, including the viability of the decryption keys and the likelihood of restoring operations, experts also bring negotiating skills that can help lower the ransom paid. Consistent with this, despite increased attempts by criminals to use data exfiltration and other techniques to extort their victims, the ratio of average ransom payments to initial ransom demands is reported to have decreased. Using specialized intermediaries can also lessen the operational challenges a ransomware attack brings, such as locating cryptocurrency to make payment and ensuring the ransom recipient is not subject to anti-money laundering or criminal sanctions.
Additionally, policyholders almost always retain the services of ransom brokers. Insurance companies may introduce policyholders to these intermediaries, but the insurers themselves only get involved after the negotiation and payment processes have largely concluded. To determine the best course of action based on the costs and benefits to the victim, including the operations and data affected and the degree of any business interruption, the brokers collaborate closely with the insured's IT team. These paid advisors typically work in the background to coordinate with law enforcement while negotiating with threat actors. The objective is to determine whether data can be recovered from backups and how likely a ransomware gang is to return any stolen information.
The victim company will ultimately decide how to react to the extortion. However, even if that decision results in an insurance payout for the costs of remediation, the intelligence offered by a ransom negotiator can persuade the insured not to pay (for instance, if the negotiator has prior experience with the threat actor not releasing effective decryption keys). Many insurance policies require the insurer's approval before a ransom is paid, but this is not always the case.
Improving overall cyber hygiene standards
In addition to assisting the insured in coping with an attack, insurance can promote risk avoidance and good cyber hygiene. Through premium discounts, co-insurance, retention agreements, and coverage limits, insurance can give organizations incentives to adopt crucial cybersecurity best practices, for example investing in state-of-the-art backup systems, endpoint and anti-virus protection, implementing the latest software patches, and security awareness training for all employees. All of these should work to lower rather than raise the likelihood of encountering ransomware attacks. Most corporate respondents to a recent survey by Marsh/Microsoft stated that insurance is a crucial component of their cyber-risk management strategy, and 41% said that the insurers' requirements affected their decision to strengthen current controls or adopt new ones.
Confronting a ransomware attack with insurance
Insurers are providing more and more pre- and post-incident services to assist policyholders in thwarting, minimizing, and responding to cyberattacks. These services support ransomware victims in addition to the traditional loss indemnification function of cyber insurance, which covers expenses for data restoration or decryption and pays businesses for revenue lost due to business interruption or system failure.
When a company applies for cyber insurance, the underwriting procedure frequently reveals gaps in its cybersecurity posture and offers advice for bolstering its cyber resilience. Some carriers can continuously monitor information about the networks of their policyholders and applicants (directly or through partnerships with cybersecurity experts), alerting the insured to any potential security flaws. In many instances those problems can be resolved, allowing businesses to prevent or lessen an attack.
Several insurers also provide products and services to help policyholders prevent and/or prepare for a ransomware event, such as employee training and testing, vulnerability scans, incident preparedness drills, and consultations with attorneys and loss prevention/security experts. These related services are becoming an increasingly necessary part of cyber insurance solutions. According to a recent survey, 62% of CEOs think network security tools, such as firewalls, should always be provided as part of cyber insurance.
External experts who are frequently hired to respond to a ransomware attack, such as legal counsel, forensic investigators, and ransomware negotiators, typically charge fees that are covered by cyber insurance policies. Insurers have established connections with these specialists and can connect a policyholder with the appropriate vendor right away, which is crucial in a crisis. Nonetheless, the vendor forges its relationship with the policyholder, and the policyholder, not the insurer, becomes the vendor's client.